Facebook has dismissed allegations in The Sunday Times that the web giant's Android app can hoover text messages from phones as "creative conspiracy theorising".
Flatly denying the claim published by the broadsheet at the weekend, the social network's UK office said its app's ability to access text messages was open and …

Standard Android problem

Re: Standard Android problem

I agree a way to have the app but refuse some permissions would be an improvement but the rest of your comment is not true. Plenty of apps only request the permissions they need and I even have a few that request no permissions at all.

Re: Cyanogen

Re: Re: Standard Android problem

Mobile web for me too. Unfortunately the FB app is preinstalled on the latest HTC ROM update. I don't use it because of the SMS-reading issue, but there is a process under the FB app called UploadManager, which starts automatically and can't be turned off. I naturally wonder why they want permission to read my messages and what they're uploading to where.

Re: Re: Cyanogen

IIRC, one of the Android engineers specifically stated that this won't happen. It would potentially cause a wave of support requests and of crashing apps being voted down if they made this feature available in stock Android and it was utilised by the less than clueful.

Re: Re: Re: Cyanogen

It's too bad, because if people could block apps from having access that they don't need to do what they advertise, and then the apps crashed and then got downvoted, it might force the developers to build better apps that don't need access to your address book to show the time and date.

Re: Standard Android problem

Selective removal of permissions

If you're not afraid of rooting your phone, there are two excellent third-party solutions to this problem.

The first one is to install CyanogenMod. Then when you go to Settings --> Apps --> Manage Apps (or wherever you can view an app's details), at the bottom of the screen where the app's permissions are listed, tapping on any permission will toggle it. This is what Google should have added to Android in the first place.

Downside: this requires a factory reset.

A more elegant solution is LBE Privacy Guard, a simple app that requires root privileges but can otherwise be installed just like any other app on top of your existing system. Its permission management is not that fine-grained, but it has one huge advantage over CM - instead of actually giving the app a slap on the wrist when it attempts to use a permission that has been revoked, it'll intercept the API call and feed it false information.

I've used both solutions (separately) for some time and prefer LBE Privacy Guard because it's more elegant: ...

An app that wants to use a revoked privilege on CM will get an "access denied" message. Some apps aren't designed to cope with this and will crash.

An app guarded by LBE PG on the other hand will simply see an empty phone book, an empty message list, a phone serial number consisting of all zeroes, etc. depending on the permissions you've revoked. It's tricked into believing it still has the revoked privilege but there's simply no data worth looting.

In addition to granting and revoking permissions, LBE PG can also be set to ask or alert you each time an app wants to use a certain privilege.

mmmmm....can't be long before...

....FB automtically starts recording everything on a phone and around a phone when that phone is automatically seen (GPS wise) to have entered a "zone of interest." Somewhere between FB's "dormant code" and Google's "oops...rogue staff member" there's some right dodgy sh*t going down. I'm away to start polishing me tinfoil hat.

@ratfox

If you're testing something internally then why does the public available app request those permissions? You can do your internal test with a private version of the app installed from an internal server.

I don't use FB but if I did I would have rejected their app on the basis that it doesn't need that permission.

FaceBook with SMSs?

They'd better watch it, some places and providers don't include unlimited SMS as part of their plan. Sure, they're cheap on my contract, but enough of them will add up to a shock. Having just looked at the permissions requested (damn Xperia Mini is full of "social networking" rubbish that I don't want, and a lot of it starts at start-up (until I kill it, that is)), I'm less concerned FB can look at my texts and more concerned it wants the ability to send texts. This, filed rightly, under "Services which can cost you money"...

As for YouTube, the one on my phone doesn't claim a right to access the camera at all. I think it just tasks off the video recording job to the built in recorder - better that way as it would offer a consistent UI.

Re: Not evil just incompetent

One major reason many Android apps request far more permissions than necessary is that, if permissions change in a future update, the automatic update and "update all" features of Android won't work for that app and the update will need to be installed manually.

If Facebook were to provide a SMS service later on, users would need to go and manually install the new version. To make matters worse the "Update (manual)" message is shown in red as if it was some error. When faced with this many non-geek users will simply not install the update.

By simply requiring all foreseeable permissions from the start the app avoids this. It's bad practice but developers are stuck between a rock and a hard place with this one.

Meatvisor, the facebook app did not require this permission from that start. When the permission was introduced, people had to manually update (but some of us uninstalled instead) even though there was "no need" for the permission to be added.

Craigness, the Facebook app has been requesting that permission since version 1.5.4, launched April 2011. That's nearly a year ago.

At the time many got the manual update notice and choose to deinstall the app instead. This just reinforces my point: if companies make such permission changes so visible during updates, many users will either not update or worse - they'll *remove* the app. If a company just puts in all permissions from the start most won't ever notice.

Several phones come with the Facebook app already installed, many with the newer version where the SMS permission was already accepted. These users wouldn't even know the app could access their text messages.

Also can you explain the Youtube app needing access to the camera if not for future proofing?

Android's permissions may sound great in theory but recent news like this show that in practice the mechanism sucks. Sorry you can't see this.

I'm not an expert but I believe that already works.

For instance, I think Google Maps recently added an "NFC" permission - or something else did. As far as I remember, it was conspicuously highlighted. I don't have NFC hardware so I wasn't worried. But Google Maps uses a -lot- of permissions.

I generally don't allow any app to update automatically. If I did, then I assume that an added permission would stop that from happening. But to take that as an argument to install originally with permissions that your app -might- want to use some day is moronic, IMO.

Another option, I think, is to publish your app in different versions, with different permissions fOr each. But I don't know if you can replace one with another. Paid and free (ad-supported) product versions are an example: the "free" ediition needs to go to the Internet to download advertisements to show you, the paid product maybe doesn't require Internet permission.

I got my phone in April 2011 and I installed FB back then. The update for the SMS stuff was much later. They changed the permission and some people decided not to update, which shows that the permissions mechanism is awesome - I was using the old version of the app for ages and didn't have to worry about what FB could do to me! On lesser operating systems you just get what you're given.

Can you explain why the Youtube app has not requested every permission in the book?

Can you explain why developers, believing that people will not install the app if it requests permission to read their SMS, will make version 1.0 of the app request permission to read their SMS even if it doesn't use that permission? Some people decided not to update FB but there may have been others who updated it in spite of the new permission, simply because they had become accustomed to using the app and wanted the new functions. They might never have installed it if it had always required that permission.

Re: Re: Re: The fact that I wouldn't be surprised if it were true

If I look at my selection of "suggested" chat buddies in the bottom right of the facebook screen then most of them are people who have text me at some point recently. I understand if they have inboxed me on facebook, but SMS? Hmm.I was always cautious of this and raised this point with a mate who also doesn't trust it.

Oh, and I don't ever use facebook chat as i'm permanently offline.

I also hate the fact that if I leave GPS switched on but not active, logging into the app fires up my GPS for an obvious location report. I think I'll go the way of others and use the mobile site from now on.

Paranoia

BlackBerry

About six months ago I binned my BlackBerry in favour of Android. And I've found that the permissions handling on Android seems to be all about the app's author and not the device's owner.

An example: I used to use a newspaper app on my BlackBerry but not permit the connections it wanted to make in order to display in-line advertisements. I liked that capability but I'm pretty sure the authors didn't.

Not a bad thing

"The permissions issue is as much one for Google as Facebook: Apple's iOS walls off certain phone functions from third-party apps - including text messages and phone functions. But on Android phones that information is accessible to apps, provided the user agrees on downloading the app."

So in other words: Android allows apps to ask your permission to gain functionality that is impossible on iOS. Why are you trying to paint this as a bad thing? More capability is a GOOD thing, especially when it requires explicit permission from the user.

Re: Just say no

Re: Re: Just say no

There are not two separate camera permissions, one reading "allows the camera to record at any time" and "allows the camera to record when the users tells it to". If you don't trust Youtube you shouldn't trust any camera app for Android, because they all have the same goddamn permission.